From nobody Sun Jun 25 23:39:13 2023 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Qq6rM2tSgz4hbJx for ; Sun, 25 Jun 2023 23:39:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Qq6rL6X58z3tZ9 for ; Sun, 25 Jun 2023 23:39:14 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687736355; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZNTUXDWPIL7N9iCkPM01YSvLHPFaJ/8elQn4lxGlgj4=; b=tyMWGFiVPKfqELmde73jypnueZ8A4+9zvop3s06Om+mtnX6u/LQUQAXEeHcsJSh+kV0QyU vdzorMLc2WTyVPuphQSi1498faLf7qxXtHlV+DEYvHY4N/pW7M/bJza9YqKfhwwHBGCPkx coAOcL+lTyRhONQ9hGhbuoROfSdOcXp7x0L7+zueaizwpal1RTcpqmGPsqsIG99fhlfdtk Tv0F248VXh9r3PAo2UklSmJV6qCRHNy4jnUJ8D8pECl0q7EEJBaGfZvl8hmTK0Vj2trjqi zdZLqYxe/3JC4POuNiJL7ibLkIv+KXGkwHhGhuiiOnP3OSF+dz8LKcAimqKkbA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1687736355; a=rsa-sha256; cv=none; b=OaChAt+Bc2w0JdZNiPsrzHL5MdFziLI6pR6BxIV5e7YUdar8sI/OdpRa6m7O23fSWJF8Jw Ns9rokrUOW4Yz4VpQC4UoulkG4nsESzK+GPgUCoW9Yx9Yz9yG2k6p9HpTDRHziGdzx/Jce zZG6y39cUmaw97HDGGuTCdV3kUM6sh4KIJzeyRwJ+UheOPL8XyRtQmVpbarl+ls7Gu5f4M 4uR8qgusUJINLAyk6jgaIRJ85uHTUgIaZx+AvOL/6pOEklf9EMotZdhfFI+NEzJxKKYsWg 7HNgPf7PxdRc8RQ3MoMYeL3w+Sew1L5oMh+0gF7jvU2urvitB4ZWy11UIfy+jg== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Qq6rL5BlTzn1t for ; Sun, 25 Jun 2023 23:39:14 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 35PNdEjC001811 for ; Sun, 25 Jun 2023 23:39:14 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 35PNdECn001810 for bugs@FreeBSD.org; Sun, 25 Jun 2023 23:39:14 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 272151] panic: use-after-free tty race condition Date: Sun, 25 Jun 2023 23:39:13 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: crash X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: rew@FreeBSD.org X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D272151 Robert Wing changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rew@FreeBSD.org --- Comment #2 from Robert Wing --- The issue seems to be caused by knlist_clear() with the way it sets up the knote with EV_ONESHOT. The event for the knote is triggered after the TTY is revoked and the thread no longer holds the TTY lock when the knote event is called. I'd halfway assume that knotes shouldn't be triggered if the TTY was revoke= d, which might look something like: https://people.freebsd.org/~rew/tf-revoke.patch or maybe it makes sense to delete the knotes when the TTY is not opened? something like: https://people.freebsd.org/~rew/tty-knote.patch or...some other behavior is expected? either way, both of the patches above prevented the panic from occurring. To reproduce, spin up a vm and execute the following: - launch nvim - suspend nvim (ctrl-z) - poweroff (panic) --=20 You are receiving this mail because: You are the assignee for the bug.=